Resubmissions

08-12-2024 13:45

241208-q2cgqavpby 10

03-12-2024 09:57

241203-ly26rawjfj 10

02-12-2024 09:48

241202-ls1ezazmes 10

02-12-2024 09:16

241202-k8hz7avkcl 10

02-12-2024 08:33

241202-kf6ksaxmgv 10

01-12-2024 23:22

241201-3cyd4sxkhx 10

Analysis

  • max time kernel
    100s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-12-2024 08:33

Errors

Reason
Machine shutdown

General

  • Target

    freehacks.exe

  • Size

    105.5MB

  • MD5

    4647bc264b4344c7ca47ae9adc130ba9

  • SHA1

    08280768ffd55e06203fc8f13d3e6f1745c7ee0c

  • SHA256

    742e3f0ca6967c947c99cbbff7f3eaa7f5059a1bba1714a20afee3d85312a439

  • SHA512

    9d2a9f90746e74819c441da86086fc716f2e9f54fbf77e4a1cfec2badb1d64b9fe0ba3e3f5304ad797613c27cb038fbddc551d4824b6445ab5f8d063e1424981

  • SSDEEP

    3145728:iZGbexf7I4RniT0BEI43vBrYwY+pOhdFs8rBb:isbexTi64/Bbp0KG

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.TXT

Ransom Note
YOUR FILE HAS BEEN LOCKED
In order to unlock your files, follow the instructions bellow:
1. Download and install Tor Browser
2. After a successful installation, run Tor Browser and wait for its initialization.
3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion
4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Modifies file permissions 1 TTPs 1 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies registry key 1 TTPs 8 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\freehacks.exe
    "C:\Users\Admin\AppData\Local\Temp\freehacks.exe"
    1⤵
      PID:3988
      • C:\Users\Admin\AppData\Roaming\Avoid.exe
        "C:\Users\Admin\AppData\Roaming\Avoid.exe"
        2⤵
          PID:3740
        • C:\Users\Admin\AppData\Roaming\ChilledWindows.exe
          "C:\Users\Admin\AppData\Roaming\ChilledWindows.exe"
          2⤵
            PID:404
          • C:\Users\Admin\AppData\Roaming\CookieClickerHack.exe
            "C:\Users\Admin\AppData\Roaming\CookieClickerHack.exe"
            2⤵
              PID:760
            • C:\Users\Admin\AppData\Roaming\CrazyNCS.exe
              "C:\Users\Admin\AppData\Roaming\CrazyNCS.exe"
              2⤵
                PID:2260
              • C:\Users\Admin\AppData\Roaming\Curfun.exe
                "C:\Users\Admin\AppData\Roaming\Curfun.exe"
                2⤵
                  PID:1232
                • C:\Users\Admin\AppData\Roaming\DesktopBoom.exe
                  "C:\Users\Admin\AppData\Roaming\DesktopBoom.exe"
                  2⤵
                    PID:2696
                  • C:\Users\Admin\AppData\Roaming\Flasher.exe
                    "C:\Users\Admin\AppData\Roaming\Flasher.exe"
                    2⤵
                      PID:3604
                    • C:\Users\Admin\AppData\Roaming\Hydra.exe
                      "C:\Users\Admin\AppData\Roaming\Hydra.exe"
                      2⤵
                        PID:2804
                      • C:\Users\Admin\AppData\Roaming\Launcher.exe
                        "C:\Users\Admin\AppData\Roaming\Launcher.exe"
                        2⤵
                          PID:1296
                        • C:\Users\Admin\AppData\Roaming\Melting.exe
                          "C:\Users\Admin\AppData\Roaming\Melting.exe"
                          2⤵
                            PID:4960
                          • C:\Users\Admin\AppData\Roaming\Popup.exe
                            "C:\Users\Admin\AppData\Roaming\Popup.exe"
                            2⤵
                              PID:1096
                            • C:\Users\Admin\AppData\Roaming\rickroll.exe
                              "C:\Users\Admin\AppData\Roaming\rickroll.exe"
                              2⤵
                                PID:4200
                              • C:\Users\Admin\AppData\Roaming\ScreenScrew.exe
                                "C:\Users\Admin\AppData\Roaming\ScreenScrew.exe"
                                2⤵
                                  PID:3744
                                • C:\Users\Admin\AppData\Roaming\Time.exe
                                  "C:\Users\Admin\AppData\Roaming\Time.exe"
                                  2⤵
                                    PID:4276
                                  • C:\Users\Admin\AppData\Roaming\Trololo.exe
                                    "C:\Users\Admin\AppData\Roaming\Trololo.exe"
                                    2⤵
                                      PID:4620
                                      • C:\Windows\SYSTEM32\taskkill.exe
                                        taskkill.exe /f /im explorer.exe
                                        3⤵
                                        • Kills process with taskkill
                                        PID:1824
                                      • C:\Windows\SYSTEM32\taskkill.exe
                                        taskkill.exe /f /im taskmgr.exe
                                        3⤵
                                        • Kills process with taskkill
                                        PID:2436
                                    • C:\Users\Admin\AppData\Roaming\Vista.exe
                                      "C:\Users\Admin\AppData\Roaming\Vista.exe"
                                      2⤵
                                        PID:1876
                                      • C:\Users\Admin\AppData\Roaming\Windows-KB2670838.msu.exe
                                        "C:\Users\Admin\AppData\Roaming\Windows-KB2670838.msu.exe"
                                        2⤵
                                          PID:2900
                                        • C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
                                          "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
                                          2⤵
                                            PID:3116
                                          • C:\Users\Admin\AppData\Roaming\YouAreAnIdiot.exe
                                            "C:\Users\Admin\AppData\Roaming\YouAreAnIdiot.exe"
                                            2⤵
                                              PID:4372
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1200
                                                3⤵
                                                • Program crash
                                                PID:2052
                                            • C:\Users\Admin\AppData\Roaming\Monoxidex86.harmless.exe
                                              "C:\Users\Admin\AppData\Roaming\Monoxidex86.harmless.exe"
                                              2⤵
                                                PID:1836
                                              • C:\Users\Admin\AppData\Roaming\RedBoot.exe
                                                "C:\Users\Admin\AppData\Roaming\RedBoot.exe"
                                                2⤵
                                                  PID:3992
                                                  • C:\Users\Admin\44363927\protect.exe
                                                    "C:\Users\Admin\44363927\protect.exe"
                                                    3⤵
                                                      PID:4264
                                                    • C:\Users\Admin\44363927\assembler.exe
                                                      "C:\Users\Admin\44363927\assembler.exe" -f bin "C:\Users\Admin\44363927\boot.asm" -o "C:\Users\Admin\44363927\boot.bin"
                                                      3⤵
                                                        PID:3496
                                                    • C:\Users\Admin\AppData\Roaming\RedEye.exe
                                                      "C:\Users\Admin\AppData\Roaming\RedEye.exe"
                                                      2⤵
                                                        PID:3872
                                                        • C:\Windows\SYSTEM32\NetSh.exe
                                                          NetSh Advfirewall set allprofiles state off
                                                          3⤵
                                                          • Modifies Windows Firewall
                                                          PID:2880
                                                      • C:\Users\Admin\AppData\Roaming\Rensenware.exe
                                                        "C:\Users\Admin\AppData\Roaming\Rensenware.exe"
                                                        2⤵
                                                          PID:3192
                                                          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                            dw20.exe -x -s 840
                                                            3⤵
                                                              PID:4600
                                                          • C:\Users\Admin\AppData\Roaming\Rokku.exe
                                                            "C:\Users\Admin\AppData\Roaming\Rokku.exe"
                                                            2⤵
                                                              PID:1084
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
                                                                3⤵
                                                                  PID:4380
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
                                                                  3⤵
                                                                    PID:6632
                                                                  • C:\Windows\SysWOW64\net.exe
                                                                    "C:\Windows\System32\net.exe" stop vss
                                                                    3⤵
                                                                      PID:7908
                                                                    • C:\Windows\SysWOW64\net.exe
                                                                      "C:\Windows\System32\net.exe" stop srservice
                                                                      3⤵
                                                                        PID:7088
                                                                    • C:\Users\Admin\AppData\Roaming\satan.exe
                                                                      "C:\Users\Admin\AppData\Roaming\satan.exe"
                                                                      2⤵
                                                                        PID:1448
                                                                        • C:\Users\Admin\AppData\Roaming\satan.exe
                                                                          "C:\Users\Admin\AppData\Roaming\satan.exe"
                                                                          3⤵
                                                                            PID:4352
                                                                            • C:\Users\Admin\AppData\Roaming\Huule\utez.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Huule\utez.exe"
                                                                              4⤵
                                                                                PID:2724
                                                                                • C:\Users\Admin\AppData\Roaming\Huule\utez.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\Huule\utez.exe"
                                                                                  5⤵
                                                                                    PID:116
                                                                                    • C:\Windows\System32\vssadmin.exe
                                                                                      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                                                                      6⤵
                                                                                      • Interacts with shadow copies
                                                                                      PID:1616
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_c0ee7394.bat"
                                                                                  4⤵
                                                                                    PID:3276
                                                                              • C:\Users\Admin\AppData\Roaming\Satana.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Satana.exe"
                                                                                2⤵
                                                                                  PID:2304
                                                                                • C:\Users\Admin\AppData\Roaming\Seftad.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\Seftad.exe"
                                                                                  2⤵
                                                                                    PID:3912
                                                                                  • C:\Users\Admin\AppData\Roaming\SporaRansomware.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\SporaRansomware.exe"
                                                                                    2⤵
                                                                                      PID:2332
                                                                                      • C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                        "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                                                                                        3⤵
                                                                                          PID:7692
                                                                                      • C:\Users\Admin\AppData\Roaming\ViraLock.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\ViraLock.exe"
                                                                                        2⤵
                                                                                          PID:4112
                                                                                          • C:\Users\Admin\bekssQkE\rewYoMIQ.exe
                                                                                            "C:\Users\Admin\bekssQkE\rewYoMIQ.exe"
                                                                                            3⤵
                                                                                              PID:4000
                                                                                            • C:\ProgramData\zKsEcAUY\DWAMgEAA.exe
                                                                                              "C:\ProgramData\zKsEcAUY\DWAMgEAA.exe"
                                                                                              3⤵
                                                                                                PID:2676
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ViraLock"
                                                                                                3⤵
                                                                                                  PID:4268
                                                                                                  • C:\Users\Admin\AppData\Roaming\ViraLock.exe
                                                                                                    C:\Users\Admin\AppData\Roaming\ViraLock
                                                                                                    4⤵
                                                                                                      PID:5824
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ViraLock"
                                                                                                        5⤵
                                                                                                          PID:3060
                                                                                                          • C:\Users\Admin\AppData\Roaming\ViraLock.exe
                                                                                                            C:\Users\Admin\AppData\Roaming\ViraLock
                                                                                                            6⤵
                                                                                                              PID:2396
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ViraLock"
                                                                                                                7⤵
                                                                                                                  PID:5840
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                                                  7⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:832
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mukUIwwY.bat" "C:\Users\Admin\AppData\Roaming\ViraLock.exe""
                                                                                                                  7⤵
                                                                                                                    PID:100
                                                                                                                    • C:\Windows\SysWOW64\cscript.exe
                                                                                                                      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                                                      8⤵
                                                                                                                        PID:89352
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                                                  5⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:5604
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                                                  5⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:6068
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                                                  5⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:5636
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMMocwY.bat" "C:\Users\Admin\AppData\Roaming\ViraLock.exe""
                                                                                                                  5⤵
                                                                                                                    PID:5220
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:1856
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:1052
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                                                3⤵
                                                                                                                • Modifies registry key
                                                                                                                PID:3948
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XooAEUIs.bat" "C:\Users\Admin\AppData\Roaming\ViraLock.exe""
                                                                                                                3⤵
                                                                                                                  PID:2040
                                                                                                                  • C:\Windows\SysWOW64\cscript.exe
                                                                                                                    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                                                    4⤵
                                                                                                                      PID:7592
                                                                                                                • C:\Users\Admin\AppData\Roaming\WannaCry.exe
                                                                                                                  "C:\Users\Admin\AppData\Roaming\WannaCry.exe"
                                                                                                                  2⤵
                                                                                                                    PID:1308
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 139001733110330.bat
      3⤵
        PID:972
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        4⤵
          PID:644
  • C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe
    "C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe"
    2⤵
      PID:5100
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      3⤵
      • Views/modifies file attributes
      PID:4400
    • C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      3⤵
      • Modifies file permissions
      PID:4968
    • C:\Users\Admin\AppData\Roaming\taskdl.exe
      taskdl.exe
      3⤵
        PID:5676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 101733110336.bat
      3⤵
        PID:5532
      • C:\Windows\SysWOW64\cscript.exe
        cscript.exe //nologo m.vbs
        4⤵
          PID:5376
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      3⤵
      • Views/modifies file attributes
      PID:2520
  • C:\Users\Admin\AppData\Roaming\WinlockerVB6Blacksod.exe
    "C:\Users\Admin\AppData\Roaming\WinlockerVB6Blacksod.exe"
    2⤵
      PID:1080
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Roaming\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\AppData\Roaming\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      3⤵
        PID:3864
  • C:\Users\Admin\AppData\Roaming\Xyeta.exe
    "C:\Users\Admin\AppData\Roaming\Xyeta.exe"
    2⤵
      PID:2280
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 448
      3⤵
      • Program crash
      PID:5248
  • C:\Users\Admin\AppData\Roaming\$uckyLocker.exe
    "C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"
    2⤵
      PID:5956
  • C:\Users\Admin\AppData\Roaming\7ev3n.exe
    "C:\Users\Admin\AppData\Roaming\7ev3n.exe"
    2⤵
      PID:1180
    • C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      3⤵
        PID:7988
  • C:\Users\Admin\AppData\Roaming\Annabelle.exe
    "C:\Users\Admin\AppData\Roaming\Annabelle.exe"
    2⤵
      PID:3536
  • C:\Users\Admin\AppData\Roaming\BadRabbit.exe
    "C:\Users\Admin\AppData\Roaming\BadRabbit.exe"
    2⤵
      PID:5540
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      3⤵
        PID:5676
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        4⤵
          PID:3776
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:50:00
        4⤵
          PID:5480
      • C:\Windows\1D86.tmp
        "C:\Windows\1D86.tmp" \\.\pipe\{766427B6-3C6E-4594-A866-DE279632F556}
        4⤵
          PID:5932
  • C:\Users\Admin\AppData\Roaming\Birele.exe
    "C:\Users\Admin\AppData\Roaming\Birele.exe"
    2⤵
      PID:7204
  • C:\Users\Admin\AppData\Roaming\DeriaLock.exe
    "C:\Users\Admin\AppData\Roaming\DeriaLock.exe"
    2⤵
      PID:7444
  • C:\Users\Admin\AppData\Roaming\Dharma.exe
    "C:\Users\Admin\AppData\Roaming\Dharma.exe"
    2⤵
      PID:6340
  • C:\Users\Admin\AppData\Roaming\NotPetya.exe
    "C:\Users\Admin\AppData\Roaming\NotPetya.exe"
    2⤵
      PID:1608
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
      3⤵
        PID:5196
  • C:\Users\Admin\AppData\Roaming\Petya.A.exe
    "C:\Users\Admin\AppData\Roaming\Petya.A.exe"
    2⤵
      PID:86472
  • C:\Users\Admin\AppData\Roaming\Fagot.a.exe
    "C:\Users\Admin\AppData\Roaming\Fagot.a.exe"
    2⤵
      PID:90980
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HeadTail.vbs"
    2⤵
      PID:91088
  • C:\Users\Admin\AppData\Roaming\Heap41A.exe
    "C:\Users\Admin\AppData\Roaming\Heap41A.exe"
    2⤵
      PID:91356
  • C:\Users\Admin\AppData\Roaming\Mantas.exe
    "C:\Users\Admin\AppData\Roaming\Mantas.exe"
    2⤵
      PID:91744
  • C:\Users\Admin\AppData\Roaming\Netres.a.exe
    "C:\Users\Admin\AppData\Roaming\Netres.a.exe"
    2⤵
      PID:92148
  • C:\Users\Admin\AppData\Roaming\Nople.exe
    "C:\Users\Admin\AppData\Roaming\Nople.exe"
    2⤵
      PID:92268
  • C:\Users\Admin\AppData\Roaming\WinNuke.98.exe
    "C:\Users\Admin\AppData\Roaming\WinNuke.98.exe"
    2⤵
      PID:92760
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4372 -ip 4372
  1⤵
    PID:3812
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x33c 0x514
  1⤵
    PID:5116
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2280 -ip 2280
  1⤵
    PID:5824
• C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  1⤵
    PID:3148
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding DDD9E7CD3B275A071459328E94B5CC14
    2⤵
      PID:2800
• C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  1⤵
    PID:5512
• C:\Windows\SysWOW64\schtasks.exe
  schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1436431270 && exit"
  1⤵
  • Scheduled Task/Job: Scheduled Task
  PID:6448
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff7e2246f8,0x7fff7e224708,0x7fff7e224718
  1⤵
    PID:2164
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop swprv
  1⤵
    PID:5104
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
    PID:3944
• C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  1⤵
  • Modifies Windows Firewall
  PID:6460
                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16281579576640049789,12380826594668021760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:8004
                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                    C:\Windows\system32\netsh.exe advfirewall reset
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                    PID:85292
                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16281579576640049789,12380826594668021760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:3628
                                                                                                                                                                                                    • C:\Windows\SysWOW64\ddraw32.dll
                                                                                                                                                                                                      C:\Windows\system32\ddraw32.dll :C:\Users\Admin\AppData\Roaming\Bumerang.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:90740
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                                                        PID:90860
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 90728 -s 332
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:26572
                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16281579576640049789,12380826594668021760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2400 /prefetch:2
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:26684
                                                                                                                                                                                                        • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                          "LogonUI.exe" /flags:0x4 /state0:0xa388e055 /state1:0x41c64e6d
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:91012
                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16281579576640049789,12380826594668021760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3176 /prefetch:2
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:93940

                                                                                                                                                                                                            Network

                                                                                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                            Downloads

                                                                                                                                                                                                            • C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.17816E042995A99EBF1F10E74D9E71B4BF097232BF195ED817711257C2F993EF

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              32KB

                                                                                                                                                                                                            • C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.HTML

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              1KB

                                                                                                                                                                                                            • C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.TXT

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              330B

                                                                                                                                                                                                            • C:\Users\Admin\44363927\assembler.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              589KB

                                                                                                                                                                                                            • C:\Users\Admin\44363927\protect.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              837KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              264KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              9KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              84B

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{ECD8DB39-F760-451B-ABE5-C5C56F31FEF4}.session

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              4KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\GAIE.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              210KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\GAgY.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              230KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\YIga.ico

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              4KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              4.9MB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ac\zqnzzmhrbaixbd.sys

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              674KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\eYcI.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              328KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\gMMa.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              233KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\mukUIwwY.bat

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              112B

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\owYs.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              314KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ssww.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              207KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\7ev3n.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              315KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\@[email protected]

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              240KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Avoid.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              248KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\BadRabbit.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              431KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Birele.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              116KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\ChilledWindows.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              4.4MB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\CookieClickerHack.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              68KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\CrazyNCS.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              122KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Curfun.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              138KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\DeriaLock.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              484KB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\DesktopBoom.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              1.1MB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Dharma.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              11.5MB

                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Fagot.a.exe

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              373KB

  • C:\Users\Admin\AppData\Roaming\Fantom.exe

    Filesize: 261KB

  • C:\Users\Admin\AppData\Roaming\Flasher.exe

    Filesize: 246KB

  • C:\Users\Admin\AppData\Roaming\Heap41A.exe

    Filesize: 451KB

  • C:\Users\Admin\AppData\Roaming\Huule\utez.exe

    Filesize: 67KB

  • C:\Users\Admin\AppData\Roaming\Hydra.exe

    Filesize: 43KB

  • C:\Users\Admin\AppData\Roaming\Krotten.exe

    Filesize: 53KB

  • C:\Users\Admin\AppData\Roaming\Launcher.exe

    Filesize: 197KB

  • C:\Users\Admin\AppData\Roaming\Locky.AZ.exe

    Filesize: 181KB

  • C:\Users\Admin\AppData\Roaming\MadMan.exe

    Filesize: 2KB

  • C:\Users\Admin\AppData\Roaming\Mantas.exe

    Filesize: 40KB

  • C:\Users\Admin\AppData\Roaming\Melting.exe

    Filesize: 12KB

  • C:\Users\Admin\AppData\Roaming\Monoxidex86.harmless.exe

    Filesize: 131KB

• C:\Users\Admin\AppData\Roaming\Netres.a.exe

  Filesize

  372KB

• C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe

  Filesize

  1.4MB

• C:\Users\Admin\AppData\Roaming\Nople.exe

  Filesize

  50KB

• C:\Users\Admin\AppData\Roaming\NotPetya.exe

  Filesize

  390KB

• C:\Users\Admin\AppData\Roaming\Popup.exe

  Filesize

  373KB

• C:\Users\Admin\AppData\Roaming\PowerPoint.exe

  Filesize

  136KB

• C:\Users\Admin\AppData\Roaming\RedBoot.exe

  Filesize

  1.2MB

• C:\Users\Admin\AppData\Roaming\RedEye.exe

  Filesize

  10.6MB

• C:\Users\Admin\AppData\Roaming\Rensenware.exe

  Filesize

  96KB

• C:\Users\Admin\AppData\Roaming\Rokku.exe

  Filesize

  666KB

• C:\Users\Admin\AppData\Roaming\Satana.exe

  Filesize

  49KB

• C:\Users\Admin\AppData\Roaming\ScreenScrew.exe

  Filesize

  111KB

• C:\Users\Admin\AppData\Roaming\Seftad.exe

  Filesize

  48KB

  • C:\Users\Admin\AppData\Roaming\SporaRansomware.exe

    Filesize

    24KB

  • C:\Users\Admin\AppData\Roaming\Time.exe

    Filesize

    111KB

  • C:\Users\Admin\AppData\Roaming\Trololo.exe

    Filesize

    3.0MB

  • C:\Users\Admin\AppData\Roaming\UIWIX.exe

    Filesize

    211KB

  • C:\Users\Admin\AppData\Roaming\USC93-99FTZ-TRTXH-THTZY.HTML

    Filesize

    8KB

  • C:\Users\Admin\AppData\Roaming\USC93-99FTZ-TRTXH-THTZY.KEY

    Filesize

    1KB

  • C:\Users\Admin\AppData\Roaming\USC93-99FTZ-TRTXH-THTZY.LST

    Filesize

    2KB

  • C:\Users\Admin\AppData\Roaming\ViraLock.exe

    Filesize

    194KB

  • C:\Users\Admin\AppData\Roaming\Vista.exe

    Filesize

    1.9MB

  • C:\Users\Admin\AppData\Roaming\WannaCry.exe

    Filesize

    224KB

  • C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe

    Filesize

    3.4MB

  • C:\Users\Admin\AppData\Roaming\WinNuke.98.exe

    Filesize

    32KB

  • C:\Users\Admin\AppData\Roaming\Windows-KB2670838.msu.exe

    Filesize

    728KB

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

    Filesize

    760KB

  • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

    Filesize

    1010KB

  • C:\Users\Admin\AppData\Roaming\WinlockerVB6Blacksod.exe

    Filesize

    2.4MB

  • C:\Users\Admin\AppData\Roaming\Xyeta.exe

    Filesize

    84KB

  • C:\Users\Admin\AppData\Roaming\YouAreAnIdiot.exe

    Filesize

    424KB

  • C:\Users\Admin\AppData\Roaming\msg\m_finnish.wnry

    Filesize

    37KB

  • C:\Users\Admin\AppData\Roaming\rickroll.exe

    Filesize

    129KB

  • C:\Users\Admin\AppData\Roaming\satan.exe

    Filesize

    184KB

  • C:\Users\Admin\AppData\Roaming\u.wry

    Filesize

    236KB

  • C:\Users\Admin\Documents\sweet.jpg

    Filesize

    23KB

  • C:\Users\Admin\Music\BackupAssert.AAC.RedEye.deria

    Filesize

    16B

  • C:\Users\Admin\bekssQkE\rewYoMIQ.exe

    Filesize

    187KB


  • C:\Windows\Installer\MSI2DC6.tmp

    Filesize

    180KB


  • C:\v1.log

    Filesize

    479B



                                                                                                                                                                                                            • memory/3872-302-0x00000247913A0000-0x0000024791E3C000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              10.6MB

                                                                                                                                                                                                            • memory/3872-968-0x00000247AC520000-0x00000247AD536000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              16.1MB

                                                                                                                                                                                                            • memory/3872-988-0x0000024793A40000-0x0000024793A46000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              24KB

                                                                                                                                                                                                            • memory/3988-0-0x00007FFF76503000-0x00007FFF76505000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              8KB

                                                                                                                                                                                                            • memory/3988-1-0x0000000000030000-0x0000000001030000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              16.0MB

                                                                                                                                                                                                            • memory/3988-377-0x00007FFF76503000-0x00007FFF76505000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              8KB

                                                                                                                                                                                                            • memory/3992-682-0x0000000000F20000-0x00000000011AE000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              2.6MB

                                                                                                                                                                                                            • memory/3992-251-0x0000000000F20000-0x00000000011AE000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              2.6MB

                                                                                                                                                                                                            • memory/4112-379-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              200KB

                                                                                                                                                                                                            • memory/4352-423-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              72KB

                                                                                                                                                                                                            • memory/4352-419-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              72KB

                                                                                                                                                                                                            • memory/4352-417-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              72KB

                                                                                                                                                                                                            • memory/4372-244-0x0000000000610000-0x0000000000682000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              456KB

                                                                                                                                                                                                            • memory/4372-245-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              624KB

                                                                                                                                                                                                            • memory/4372-253-0x0000000005220000-0x0000000005276000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              344KB

                                                                                                                                                                                                            • memory/4600-543-0x0000000000970000-0x0000000000987000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              92KB

                                                                                                                                                                                                            • memory/5824-918-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              200KB

                                                                                                                                                                                                            • memory/5824-841-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              200KB

                                                                                                                                                                                                            • memory/5956-645-0x0000000000430000-0x000000000049E000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              440KB

                                                                                                                                                                                                            • memory/6784-2754-0x0000000000140000-0x000000000017C000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              240KB

                                                                                                                                                                                                            • memory/7336-2647-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              1.4MB

                                                                                                                                                                                                            • memory/7444-2662-0x0000000000980000-0x0000000000A02000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              520KB

                                                                                                                                                                                                            • memory/7596-2763-0x00000000021C0000-0x00000000021F2000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              200KB

                                                                                                                                                                                                            • memory/7596-31284-0x0000000005310000-0x000000000531E000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              56KB

                                                                                                                                                                                                            • memory/7596-2757-0x0000000002180000-0x00000000021B2000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              200KB

                                                                                                                                                                                                            • memory/7960-2378-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              200KB

                                                                                                                                                                                                            • memory/7972-2685-0x0000000000400000-0x0000000000434000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              208KB

                                                                                                                                                                                                            • memory/87804-30557-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              228KB

                                                                                                                                                                                                            • memory/88928-30492-0x000000002AA00000-0x000000002AA24000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              144KB

                                                                                                                                                                                                            • memory/88928-30512-0x000000002AA00000-0x000000002AA24000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              144KB

                                                                                                                                                                                                            • memory/90536-30518-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              64KB

                                                                                                                                                                                                            • memory/90728-30546-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              64KB

                                                                                                                                                                                                            • memory/90728-31178-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              64KB

                                                                                                                                                                                                            • memory/90740-30545-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              64KB

                                                                                                                                                                                                            • memory/90740-30563-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              64KB

                                                                                                                                                                                                            • memory/91744-30779-0x0000000000400000-0x0000000000413000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              76KB

                                                                                                                                                                                                            • memory/91744-31268-0x0000000000400000-0x0000000000413000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              76KB